X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.jackrabbit%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjackrabbit%2FArgeoSecurityManager.java;h=96260b426f466ca5b69185c4f432d4672ca21df8;hb=19f918960dfca4fd10de1fbe33554b8e1ce3b62c;hp=8f2632d0ff0ccf0445c968a86f8b4e771c36c58b;hpb=8b8ee149b20e2578a55e17413fa5f7399ff7ba14;p=lgpl%2Fargeo-commons.git
diff --git a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
index 8f2632d0f..96260b426 100644
--- a/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
+++ b/security/runtime/org.argeo.security.jackrabbit/src/main/java/org/argeo/security/jackrabbit/ArgeoSecurityManager.java
@@ -27,7 +27,6 @@ import org.apache.jackrabbit.api.security.user.User;
 import org.apache.jackrabbit.api.security.user.UserManager;
 import org.apache.jackrabbit.core.DefaultSecurityManager;
 import org.apache.jackrabbit.core.security.SecurityConstants;
-import org.apache.jackrabbit.core.security.SystemPrincipal;
 import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
 import org.argeo.ArgeoException;
 import org.argeo.jcr.JcrUtils;
@@ -36,18 +35,22 @@ import org.springframework.security.GrantedAuthority; /** Intermediary class in order to have a consistent naming in config files. */ public class ArgeoSecurityManager extends DefaultSecurityManager { - public final static String HOME_BASE_PATH = "/home"; - private Log log = LogFactory.getLog(ArgeoSecurityManager.class); + /** + * Since this is called once when the session is created, we take the + * opportunity to make sure that Jackrabbit users and groups reflect Spring + * Security name and authorities. + */ @Override - /** Since this is called once when the session is created, we take the opportunity to synchronize Spring and Jackrabbit users and groups.*/ public String getUserID(Subject subject, String workspaceName) throws RepositoryException { long begin = System.currentTimeMillis(); + if (log.isTraceEnabled()) + log.trace(subject); // skip Jackrabbit system user - if (!subject.getPrincipals(SystemPrincipal.class).isEmpty()) + if (!subject.getPrincipals(ArgeoSystemPrincipal.class).isEmpty()) return super.getUserID(subject, workspaceName); Authentication authen; @@ -59,10 +62,6 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { else authen = authens.iterator().next(); - // skip argeo system authenticated - // if (authen instanceof SystemAuthentication) - // return super.getUserID(subject, workspaceName); - UserManager systemUm = getSystemUserManager(workspaceName); String userId = authen.getName(); @@ -70,11 +69,10 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { if (user == null) { user = systemUm.createUser(userId, authen.getCredentials() .toString(), authen, null); + setSecurityHomeAuthorizations(user); log.info(userId + " added as " + user); } - //setHomeNodeAuthorizations(user); - // process groups List userGroupIds = new ArrayList(); for (GrantedAuthority ga : authen.getAuthorities()) { 
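Review bot: The added `log.trace(subject)` at the top of getUserID writes the whole `Subject` to the log, and `Subject.toString()` renders its principals and credential sets, so whatever the Spring `Authentication` and any credential objects print ends up in trace output. Logging only the principal names needed for diagnosis would keep credential material out of log files. The early return now keys on `ArgeoSystemPrincipal`, which is not defined in this diff; because its presence skips the whole synchronization, it deserves a comment such as `// ArgeoSystemPrincipal is only added by <trusted login path - fill in>; such subjects bypass user/group sync`. getUserID continues beyond this hunk.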
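Review bot: `setSecurityHomeAuthorizations(user)` runs only inside the `user == null` branch, after `createUser` has already succeeded, and that method now throws `ArgeoException` on failure (see the last hunk). If it throws, the Jackrabbit user presumably stays in place, so the next session finds `user != null` and the home ACL is never attempted again, while the current login fails. Either undo the creation when the ACL step fails or make that step idempotent and run it whenever the entry is missing. The unchanged `authen.getCredentials().toString()` on the line above stores whatever the credentials object prints as the Jackrabbit password and would fail with a NullPointerException if the credentials are null; a comment stating why that value is acceptable would help. The enclosing getUserID starts and ends outside this hunk.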
@@ -95,92 +93,52 @@ public class ArgeoSecurityManager extends DefaultSecurityManager { group.removeMember(user); } - // write roles in profile for easy access -// if (!(authen instanceof SystemAuthentication)) { -// Node userProfile = JcrUtils.getUserProfile(getSystemSession(), -// userId); -// boolean writeRoles = false; -// if (userProfile.hasProperty(ArgeoNames.ARGEO_REMOTE_ROLES)) { -// Value[] roles = userProfile.getProperty(ArgeoNames.ARGEO_REMOTE_ROLES) -// .getValues(); -// if (roles.length != userGroupIds.size()) -// writeRoles = true; -// else -// for (int i = 0; i < roles.length; i++) -// if (!roles[i].getString().equals(userGroupIds.get(i))) -// writeRoles = true; -// } else -// writeRoles = true; -// -// if (writeRoles) { -// userProfile.getSession().getWorkspace().getVersionManager() -// .checkout(userProfile.getPath()); -// String[] roleIds = userGroupIds.toArray(new String[userGroupIds -// .size()]); -// userProfile.setProperty(ArgeoNames.ARGEO_REMOTE_ROLES, roleIds); -// JcrUtils.updateLastModified(userProfile); -// userProfile.getSession().save(); -// userProfile.getSession().getWorkspace().getVersionManager() -// .checkin(userProfile.getPath()); -// } -// } - - if (log.isTraceEnabled()) - log.trace("Spring and Jackrabbit Security synchronized for user " + if (log.isDebugEnabled()) + log.debug("Spring and Jackrabbit Security synchronized for user " + userId + " in " + (System.currentTimeMillis() - begin) + " ms"); return userId; } - protected synchronized void setHomeNodeAuthorizations(User user) { - // give all privileges on user home - // FIXME: fails on an empty repo + protected synchronized void setSecurityHomeAuthorizations(User user) { + // give read privileges on user home String userId = ""; try { userId = user.getID(); - Node userHome = null; - try { - userHome = JcrUtils.getUserHome(getSystemSession(), userId); - if (userHome == null) { - userHome = JcrUtils.createUserHome(getSystemSession(), - HOME_BASE_PATH, userId); - //log.warn("No 
home available for user "+userId); - return; - } - } catch (Exception e) { - // silent + Node userHome = JcrUtils.getUserHome(getSystemSession(), userId); + if (userHome == null) + throw new ArgeoException("No security home available for user " + + userId); + + String path = userHome.getPath(); + Principal principal = user.getPrincipal(); + + JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) getSystemSession() + .getAccessControlManager(); + JackrabbitAccessControlPolicy[] ps = acm + .getApplicablePolicies(principal); + if (ps.length == 0) { + // log.warn("No ACL found for " + user); + return; } - if (userHome != null) { - String path = userHome.getPath(); - Principal principal = user.getPrincipal(); - - JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) getSystemSession() - .getAccessControlManager(); - JackrabbitAccessControlPolicy[] ps = acm - .getApplicablePolicies(principal); - if (ps.length == 0) { - // log.warn("No ACL found for " + user); - return; - } - - JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0]; - - // add entry - Privilege[] privileges = new Privilege[] { acm - .privilegeFromName(Privilege.JCR_ALL) }; - Map restrictions = new HashMap(); - ValueFactory vf = getSystemSession().getValueFactory(); - restrictions.put("rep:nodePath", - vf.createValue(path, PropertyType.PATH)); - restrictions.put("rep:glob", vf.createValue("*")); - list.addEntry(principal, privileges, true /* allow or deny */, - restrictions); - } + JackrabbitAccessControlList list = (JackrabbitAccessControlList) ps[0]; + + // add entry + Privilege[] privileges = new Privilege[] { acm + .privilegeFromName(Privilege.JCR_READ) }; + Map restrictions = new HashMap(); + ValueFactory vf = getSystemSession().getValueFactory(); + restrictions.put("rep:nodePath", + vf.createValue(path, PropertyType.PATH)); + restrictions.put("rep:glob", vf.createValue("*")); + list.addEntry(principal, privileges, true /* allow or deny */, + 
restrictions); } catch (Exception e) { e.printStackTrace(); - log.warn("Cannot set authorization on user node for " + userId - + ": " + e.getMessage()); + throw new ArgeoException( + "Cannot set authorization on security home for " + userId + + ": " + e.getMessage()); } }
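Review bot: In `setSecurityHomeAuthorizations`, `list.addEntry(...)` is the last call before the `catch`, and nothing visible binds the modified list back with `setPolicy` or saves the system session, so the `JCR_READ` entry looks like it is never persisted; in JCR an edited policy takes effect only after `AccessControlManager.setPolicy` and a save. Unless that happens elsewhere, add `acm.setPolicy(list.getPath(), list);` followed by `getSystemSession().save();` after `addEntry`. The `ps.length == 0` branch returns silently with its warning commented out, which leaves a freshly created user without the home ACL and without any trace, so it should log or throw like the missing-home case. The `catch (Exception e)` also re-wraps the `ArgeoException` thrown a few lines above and keeps only `e.getMessage()` next to `e.printStackTrace()`; passing `e` as the cause (if `ArgeoException` accepts one) and dropping the stack-trace print would keep the diagnostics in the log.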